
Bug#305601: CAN-2005-0404: serious content spoofing vulnerability



Package: kmail
Severity: grave
Justification: user security hole

For more information see:
http://www.securityfocus.com/bid/13085

In summary:
> A remote email message content spoofing vulnerability affects KDE
> KMail.  This issue is due to a failure of the application to properly
> sanitize HTML email messages.
> An attacker may leverage this issue to spoof email content and various
> header fields of email messages.  This may aid an attacker in
> conducting phishing and social engineering attacks by spoofing PGP
> keys as well as other critical information.

Securityfocus lists 3.3.2 as vulnerable, which is currently in Sarge and
Sid. No idea if it would affect 2.2.2, which is in Woody.

See KDE bug 96020.

Workaround is to disable HTML email.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686-smp
Locale: LANG=en_AU, LC_CTYPE=en_AU (charmap=ISO-8859-1)


